Date: Mon, 31 Jul 2000 10:43:22 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: schluntz@workofstone.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <200007310043.KAA26938@cairo.anu.edu.au>
In-Reply-To: <200007310036.RAA10529@mail.workofstone.net> from "schluntz@timberwolf.workofstone.net" at "Jul 30, 0 05:32:15 pm"
In some mail from schluntz@timberwolf.workofstone.net, sie said:
>
> >> > I came into this mess with mostly only PIX/FW1 experience... I'll admit
> >> > some initial frustration when glancing over the man page, but after I
> >> > decided to read it, word for word, and started toying with the examples,
> >> > I've found ipfw's syntax/behavior to be (often) more appealing than the
> >> > other products I use on a daily basis.
> >> >
> >> > -mrh
> >>
> >> one significant advantage of ipfw over FW1, aside from cost,
> >> is that ipfw can test on which interface a packet arrives and/or
> >> leaves. as far as i know, in FW1 it's not possible to act upon packets
> >> based upon which interface the packet hits. imagine wanting to screen
> >> (spoofed) packets with the inside IP addresses arriving on the outside
> >> interface. ;(
> >
> >If you're using FW-1 on Solaris, you can use IP Filter to do filtering
> >before FW-1 in case you don't trust FW-1 :-)
>
> Or, if you really don't trust FW-1 on Solaris (but need some of its
> functionality and like a second layer of protection) put a Cisco (or
> preferably a FreeBSD box running ipfw) in front of it blocking all of
> the heinous stuff and just let the FW-1 box do some of the granularity.
>
> This also protects your FW-1 box from some of the FW-1 related attacks.

If you want to "add security" then you put in place something like a box
with FWTK or Gauntlet. Layering packet filters does not add a second
layer of protection, IMHO, just lets you stop FW-1 from crashing >;-)

But you'd only use ipfw if you didn't know how to run up ipfilter in any
case :-)

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
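The interface-matching the thread describes (dropping packets with inside source addresses that arrive on the outside interface) as an ipfw ruleset. This is an added example, not from anyone in the thread; the interface names fxp0/fxp1 and the 192.168.1.0/24 inside network are constructed, and the loopback and inside-interface rules go slightly beyond the quoted case.

```sh
#!/bin/sh
# Anti-spoofing rules for FreeBSD ipfw keyed on the arrival interface.
# Assumed names (not from the thread): fxp0 = outside, fxp1 = inside,
# 192.168.1.0/24 = inside network.
OIF=fxp0
IIF=fxp1
INSIDE=192.168.1.0/24

# Emit the rules in the file format accepted by "ipfw -q <file>", so the
# set can be reviewed on any host before being loaded on the firewall.
rules() {
    cat <<EOF
# Inside addresses must never arrive from the Internet side.
add 100 deny log ip from $INSIDE to any in via $OIF
# Loopback sources do not belong on a physical interface in either direction.
add 110 deny log ip from 127.0.0.0/8 to any via $OIF
add 111 deny log ip from 127.0.0.0/8 to any via $IIF
# Traffic entering from the inside must carry an inside source address
# (catches an internal host spoofing outside addresses).
add 120 deny log ip from not $INSIDE to any in via $IIF
EOF
}

# Number of deny rules in the set; handy as a sanity check after editing.
count_deny() {
    rules | grep -c '^add [0-9]* deny'
}

# Load the set on the firewall itself ("deny log" hits then show up with
# "ipfw -a list" counters and in the security log).
load_rules() {
    tmp=$(mktemp) || return 1
    rules > "$tmp" && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

rules
```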